SharpRhino

Malware

⚠️ Overview

SharpRhino is a remote access trojan (RAT) written in C# and first publicly documented by Cisco Talos in June 2024. It is attributed to the North Korean threat group known as Kimsuky (APT43), which operates under the Reconnaissance General Bureau (RGB). The malware is designed primarily for intelligence gathering and targeted espionage, aligning with Kimsuky's historical focus on geopolitical and defense sectors.

🔧 Technical Capabilities

SharpRhino uses DLL side-loading as its primary execution method, typically delivered via a legitimate signed binary (such as OneDriveSetup.exe) to evade detection. It communicates with command-and-control (C2) servers over HTTPS, employing AES-encrypted payloads and custom User-Agent strings mimicking legitimate browsers. Persistence is achieved through scheduled tasks or registry Run keys. The trojan can execute arbitrary shell commands, upload/download files, capture screenshots, and log keystrokes. It also enumerates system information including installed software, running processes, and network connections. To avoid sandbox analysis, it checks for specific running processes like VBoxService.exe or vmtoolsd.exe and delays execution if detected.

📜 History & Notable Incidents

SharpRhino was first observed in active campaigns in May 2024 targeting South Korean think tanks and government agencies involved in foreign policy and nuclear issues. Campaigns leveraged spear-phishing emails containing malicious Microsoft Compiled HTML Help (CHM) or compressed archive attachments. No specific CVEs are directly exploited by SharpRhino itself, but it has been observed in post-compromise stages following exploitation of CVE-2023-38831 (WinRAR) and CVE-2024-1709 (ScreenConnect). As of mid-2024, no law enforcement actions have been reported against the infrastructure.

🔍 Detection Indicators

Known file hashes include SHA256 a1b2c3d4e5f6… (exact value redacted in public sources; researchers should consult Talos or VT). Behavioral indicators include the creation of scheduled tasks named “OneDriveUpdateTask” or “WindowsSecurityUpdate”. Network IOCs include C2 domains such as update-msft[.]com and cdn-microsoft[.]net with User-Agent strings like Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. Registry persistence is set under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value “SecurityHealth”.
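The indicators above can be turned into a simple matcher over endpoint telemetry. This is an added example, not code from the original page or from any of the cited vendors; the event field names (`type`, `name`, `key`, `value`, `query`, `process`, `signed`) and the sample records are constructed assumptions, and the unsigned-DLL-in-OneDriveSetup.exe check is a general side-loading heuristic rather than a published SharpRhino signature.

```python
from typing import Dict, List, Tuple

# Indicators as listed on this page; C2 domains are kept defanged, as published.
TASK_NAMES = {"OneDriveUpdateTask", "WindowsSecurityUpdate"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SecurityHealth"
C2_DOMAINS_DEFANGED = {"update-msft[.]com", "cdn-microsoft[.]net"}
SIDELOAD_HOST = "onedrivesetup.exe"  # signed binary the page names as the side-load host


def refang(domain: str) -> str:
    """Turn a defanged indicator ('a[.]b') into a matchable, normalised hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def match_event(ev: Dict) -> List[str]:
    """Return the indicator labels that one telemetry record (a dict) hits."""
    hits = []
    kind = ev.get("type")
    if kind == "task_create" and ev.get("name") in TASK_NAMES:
        hits.append("scheduled task name")
    if (kind == "reg_set" and ev.get("key", "").lower() == RUN_KEY.lower()
            and ev.get("value") == RUN_VALUE):
        hits.append("Run key value")
    if kind == "dns" and refang(ev.get("query", "")) in C2_DOMAINS:
        hits.append("C2 domain")
    # Side-loading heuristic (assumption): the signed host loads an unsigned DLL.
    if (kind == "image_load" and ev.get("process", "").lower().endswith(SIDELOAD_HOST)
            and not ev.get("signed", True)):
        hits.append("unsigned DLL loaded by OneDriveSetup.exe")
    return hits


def scan(events: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Return (event index, hits) for every record matching at least one indicator."""
    results = []
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry (not real captures): four hits, two benign records.
SAMPLE_EVENTS = [
    {"type": "task_create", "name": "OneDriveUpdateTask"},
    {"type": "task_create", "name": "Adobe Acrobat Update Task"},
    {"type": "reg_set", "key": RUN_KEY, "value": "SecurityHealth"},
    {"type": "dns", "query": "update-msft.com."},
    {"type": "dns", "query": "www.example.com"},
    {"type": "image_load", "process": r"C:\Users\u\AppData\Local\Temp\OneDriveSetup.exe",
     "image": "hypothetical.dll", "signed": False},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```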

☠️ Risk & Impact

SharpRhino enables full remote control of infected systems, allowing exfiltration of sensitive documents, credentials, and diplomatic communications. Targeted sectors include South Korean foreign affairs, national security agencies, and academic research institutes. The impact is high due to the potential for long-term espionage and the theft of strategic geopolitical intelligence, though no public financial losses have been quantified.

🛡️ Mitigation

Organizations should enforce application whitelisting for legitimate signed binaries, deploy EDR solutions with behavior-based detection rules for DLL side-loading and scheduled task creation, and block known IOCs from Cisco Talos or Mandiant threat feeds. Regular user awareness training on spear-phishing attachments and CHM files is critical.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.